Nothing seems to be happening. I tried running as custom command & saving as firewall; also, when I enter “iptables -t mangle -vnL POSTROUTING” afterwards, nothing is changing. I’m using my router as a repeater and I’m trying to add these firewall settings to hide my mobile hotspot tether usage. Any help would be appreciated. Wiki page: https://wiki.dd-wrt.com/wiki/index.php/Iptables#Modifying_the_TTL
Joined: 31 Jul 2021 Posts: 2145 Location: All over YOUR webs
Posted: Fri May 27, 2022 17:51 Post subject:
A lower/higher TTL is not going to hide any mobile device's tether usage.
TTL aka Time To Live is a setting that determines how long data (in packet form) is valid and available from within a network before the router clears it.
Usually it's used as a response to e.g. DDoS attacks and not to hide any type of usage. Never heard of it; if for instance someone was already looking at your incoming/outgoing traffic, it won't protect you or hide anything.
Actually you can; example 3 even says so. Also, when I tether to my Mac or other iOS devices, even some Android devices, my carrier isn't able to notice that I’m tethering. I can tell because after using all my allowed data those devices don’t get throttled, but when I connect my Xbox it does get throttled. People have changed their TTL settings on Windows PCs & Android devices etc. to get this to work; this guy here explains it the best: https://forums.macrumors.com/threads/ttl-modification-to-cloak-tethered-packets-lets-make-them-work-harder-to-catch-us.1140306/
Instead of 128 you can also try 65 or use:
-j TTL --ttl-inc 1
Note that -I is a capital i.
Set this rule from the CLI (telnet/PuTTY) and check with:
iptables -vnL -t mangle
It is possible that the module with TTL is not compiled in, as your router has only 16 MB flash.
Thanks. Yeah, I’ve tried that but it doesn’t seem to change anything. Is there any way to find out if it’s a problem with the module you mentioned? So I ended up updating ddwrt and iptables is now v1.8.5, and I’m getting unknown option for --ttl-set & --ttl-inc. When I look at --help for v1.3.7 and v1.8.5 I don’t see anything for --ttl-set, but it didn’t get that error on the earlier version.
Last edited by Itsyaboy on Sat May 28, 2022 17:48; edited 2 times in total
Joined: 16 Mar 2019 Posts: 353 Location: Szczecin, Poland EU
Posted: Sat May 28, 2022 18:36 Post subject:
I use these two instructions:
iptables -t mangle -I POSTROUTING 1 -o vlan2 -j TTL --ttl-set 65
iptables -t mangle -I PREROUTING 1 -i vlan2 -j TTL --ttl-set 65
Sometimes you shouldn't see changes when you test this configuration on Windows systems. That works only for the vlan2 interface = only the WAN port. When you connect to the switch on the router or via wireless, you use the br0 interface. I have changed TTL only for vlan2 and I forced it manually with the switches -o <interface name> and -i <interface name>.
It looks like the TTL target is not present in your build.
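One way to check the kernel side of the question above (whether the TTL target is present in a build), as an added example that is not part of the original thread. It reads the list of registered targets from /proc/net/ip_tables_targets; the function names `has_target`, `describe_target` and `sample_targets` are hypothetical, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: check whether a netfilter target is registered with the kernel.
# /proc/net/ip_tables_targets holds one registered IPv4 target name per line.

# has_target NAME [FILE]: 0 = listed, 1 = not listed, 2 = list unreadable
has_target() {
    name=$1
    file=${2:-/proc/net/ip_tables_targets}
    [ -r "$file" ] || return 2
    grep -qxF -- "$name" "$file"
}

# describe_target NAME [FILE]: print a one-line verdict for NAME
describe_target() {
    rc=0
    has_target "$1" "$2" || rc=$?
    case $rc in
        0) echo "$1: registered" ;;
        1) echo "$1: not registered" ;;
        *) echo "$1: cannot read target list" ;;
    esac
}

# Constructed sample of a build that lacks the TTL target.
sample_targets() {
    printf '%s\n' MASQUERADE DNAT SNAT REJECT LOG TCPMSS ERROR
}

# Demo on the constructed sample; on a router, call describe_target TTL
# with no file argument to read the live list (usually needs root).
demo() {
    tmp="${TMPDIR:-/tmp}/ipt_targets.$$"
    sample_targets > "$tmp"
    describe_target MASQUERADE "$tmp"
    describe_target TTL "$tmp"
    rm -f "$tmp"
}
demo
```

A "cannot read target list" verdict means the file is missing or unreadable, which happens when the ip_tables module is not loaded or the shell lacks permission.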
What’s the best way to make sure everything is erased off the router? Like all settings and commands etc. I’m having some weird issues with ssh not working on certain apps or terminals; now I’m unable to ssh at all.
I would recommend you upgrade to latest build and reconfigure from scratch, do not restore any backups.
Ok thanks, I found it weird that when I used tftpd32 to get back to stock to then go back to ddwrt, all my ddwrt setup was still there. Shouldn’t that have erased it all?
Last edited by Itsyaboy on Sat May 28, 2022 22:07; edited 2 times in total
How do I find my interface on Windows? I think I’m going to give this a shot there to see if it even works before I go further trying to figure this out on my router. Also, would I apply this to the interface receiving the internet connection or outputting? Want to try this with Windows 10 hotspot.
If the router IP is different, enter that instead. I recommend running those iptables commands only via SSH.
To enable SSH see the Services tab and look for the Secure Shell section.
Ok thanx, yea I don’t know why but I kept getting connection refused even tho I had ssh on, I ended up switching to openwrt and finally got this to work! Wish I could figure out why iptables wasn’t working properly on ddwrt tho :/
If anyone wants to give this a try, I used “iptables -t mangle -A POSTROUTING -j TTL --ttl-set 65” in custom firewall settings and I had to upgrade iptables-mod-ipopt with opkg upgrade.